On Fri, Nov 6, 2009 at 8:50 AM, Marco Savo wrote:
> Thanks, but currently I have an embedded Linux board (based on OpenWrt)
> that uses busybox, and there isn't netstat, nor nmap or lsof command. I
> guess I can read /proc/net/tcp or udp, but iptables doesn't show a list of
> used ports?
>
> On Fri, Nov 6, 2009 at 1:49 PM, Lisa Kachold wrote:
>
>> On Fri, Nov 6, 2009 at 5:30 AM, Craig White wrote:
>>
>>> On Fri, 2009-11-06 at 13:13 +0000, Marco Savo wrote:
>>> > Hello,
>>> > configuring iptables rules,
>>> > how can I find out if one port number I want to use is already in
>>> > use?
>>> > example:
>>> >
>>> > $IPTABLES -t nat -I zone_wan_prerouting 1 -j ACCEPT --protocol udp
>>> > --dport ${UDP_PORT} --destination localhost
>>> > $IPTABLES -t nat -I zone_wan_prerouting 1 -j ACCEPT --protocol tcp
>>> > --dport ${TCP_PORT} --destination localhost
>>> > $IPTABLES -t nat -I zone_wan_prerouting 1 -j ACCEPT --protocol tcp
>>> > --dport ${TCP_HOST_PORT} --destination localhost
>>> >
>>> > How can I check if these ports (UDP_PORT TCP_PORT TCP_HOST_PORT) are
>>> > in use by another application?
>>> ----
>>> you can use netstat - for example, I might check for port 10000...
>>> # netstat -an|grep 10000
>>> tcp 0 0 0.0.0.0:10000 0.0.0.0:* LISTEN
>>> udp 0 0 0.0.0.0:10000 0.0.0.0:*
>>>
>>> Craig
>>
>> You can also use nmap
>>
>> # nmap localhost
>>
>> or
>>
>> # netstat -anpt
>>
>> to see what is listening on what (depending on your distro - check syntax)
>
> --
> 'The Magic Is In the Movement'
>
> Marco Savo
> SW Engineer
>
> 882 East Glenn St.
> Tucson, AZ 85719
> +1 (520) 248-5681

Hey Marco,

1) Your netstat is probably going to be your best solution. This is how you install netstat-nat (for instance) on OpenWRT:

# ipkg install http://tornado.stormchasers.dk/openwrt/netstat-nat_1.4.3_mipsel.ipk

Netstat should be similar (just find the right version).
Reference: https://forum.openwrt.org/viewtopic.php?id=6676

2) You can also use lsof (this one is for the whiterussian version of OpenWRT, so check your packages):

# ipkg install http://jackassofalltrades.com/openwrt/whiterussian/packages/lsof_4.77-1_mipsel.ipk
# lsof -i

3) Nmap IPTABLES testing: You can still nmap from both the inside interface(s) (from a Linux machine or VMware machine - nmap is available for Window$s also) and from an online nmap portal to see what is available and listening on the outside WAN interface.

http://www.redhat.com/docs/manuals/linux/RHL-9-Manual/security-guide/s1-server-ports.html

Some people configure their iptables with only nmap against each interface, with the assumption that if it's not listening with iptables down, it doesn't need to be protected (be sure to check cron and anacron for any edited scripts if this is a possibly encroached system).

4) IPTABLES kernel conntrack-tools assist in making really fine tables. Did you hand engineer your embedded sources for that box? Are you using connection tracking? (it's a small binary build)

http://conntrack-tools.netfilter.org/conntrack.html
http://svn.netfilter.org/netfilter/trunk/conntrack-tools/conntrack.8

OpenWRT provides for conntrack (but there are bugs on some versions).

--
Skype: (623)239-3392
AT&T: (503)754-4452
www.obnosis.com
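Marco's own suggestion, reading /proc/net/tcp (and /proc/net/udp) directly, is the one option that needs nothing beyond busybox's sh and awk. The following is an added example written for this thread, not code posted by any participant: it parses a /proc/net/tcp-style table and reports whether a given port is bound locally, optionally restricted to a socket state (0A is LISTEN for TCP; for /proc/net/udp a bound, unconnected socket shows state 07), and it decodes the kernel's little-endian hex addresses into dotted quads. The table content is constructed inline so the script runs without a real /proc; on the board, pass /proc/net/tcp, /proc/net/tcp6 or /proc/net/udp instead of the sample file.

```shell
#!/bin/sh
# Added example (not from the original thread): find bound local ports by
# parsing /proc/net/tcp-format tables with POSIX sh + awk, as busybox has.
#
# Column layout (from the kernel): sl local_address rem_address st ...
# Addresses are HEXIP:HEXPORT; IPv4 addresses are 4 little-endian bytes.

# Constructed sample table in /proc/net/tcp format (not captured from a real
# system): sshd listening on :22, something on 127.0.0.1:10000, and one
# established client connection from port 54321.
SAMPLE_TCP='  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1234 1 0000000000000000 100 0 0 10 0
   1: 0100007F:2710 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1235 1 0000000000000000 100 0 0 10 0
   2: 0100007F:D431 0100007F:0016 01 00000000:00000000 00:00000000 00000000  1000        0 1236 1 0000000000000000 20 4 30 10 -1'

SAMPLE_FILE=$(mktemp)
trap 'rm -f "$SAMPLE_FILE"' EXIT
printf '%s\n' "$SAMPLE_TCP" > "$SAMPLE_FILE"

# port_in_use FILE PORT [STATE]
# Prints every row whose local port equals PORT (decimal) and, if STATE is
# given, whose st column equals it. Exit status 0 = found, 1 = not found.
port_in_use() {
    hexport=$(printf '%04X' "$2")      # /proc/net uses uppercase 4-digit hex
    awk -v p="$hexport" -v s="$3" '
        NR > 1 {                        # skip the header row
            split($2, la, ":")          # la[1] = hex IP, la[2] = hex port
            if (la[2] == p && (s == "" || $4 == s)) { print; found = 1 }
        }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# listening_ports FILE STATE
# Prints "ip:port" for every row in the given state, decoding the hex forms.
listening_ports() {
    awk -v s="$2" '
        function hex(h,   i, v) {       # hex string -> number (no strtonum)
            v = 0
            for (i = 1; i <= length(h); i++)
                v = v * 16 + index("0123456789ABCDEF", toupper(substr(h, i, 1))) - 1
            return v
        }
        NR > 1 && $4 == s {
            split($2, la, ":")
            a = la[1]
            if (length(a) == 8)         # IPv4: bytes stored little-endian
                ip = hex(substr(a, 7, 2)) "." hex(substr(a, 5, 2)) "." \
                     hex(substr(a, 3, 2)) "." hex(substr(a, 1, 2))
            else                        # IPv6 (tcp6/udp6): leave raw hex
                ip = a
            print ip ":" hex(la[2])
        }
    ' "$1"
}

# Demo against the constructed sample; on a router use /proc/net/tcp instead.
for port in 10000 54321 8080; do
    if port_in_use "$SAMPLE_FILE" "$port" 0A > /dev/null; then
        echo "port $port: LISTENING socket present"
    elif port_in_use "$SAMPLE_FILE" "$port" > /dev/null; then
        echo "port $port: bound, but not listening (client/established)"
    else
        echo "port $port: free"
    fi
done
echo "All LISTEN sockets:"
listening_ports "$SAMPLE_FILE" 0A
```

The state filter matters: a port that appears only in an ESTABLISHED row is an ephemeral client port, not a service, so checking LISTEN (or 07 for UDP) before choosing a DNAT target avoids a false "in use". Run the same function over /proc/net/tcp6 and /proc/net/udp6 as well, since a service bound to :: will not show up in the IPv4 tables.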